VMware Horizon Community
HendersonD
Hot Shot

Anyone using a VDI session as a Privileged Access Workstation (PAW)?

We have a number of IT staff whose logins give them elevated privileges on our network, including a couple of domain admins. I want to create a second, regular user login for each of them. I could provide them with two workstations:

  • Log in on one using regular user credentials. They can use this workstation to browse the web, read email, and do other such activities that are prone to the workstation picking up malware, viruses, and trojans. These login credentials, if compromised, would not give anyone elevated privileges.
  • Log in to the other workstation using credentials that give the user elevated privileges. This would strictly be used to administer the network, with no web browsing or email.

Having two workstations per user gets cumbersome, so we thought about using a VDI session for one of these roles:

  • Log in to the workstation with the elevated account, and open a VDI session to browse the web, read email, etc.
  • Log in to the workstation with the non-elevated account, and open a VDI session to use tools like Active Directory Users and Computers.

Is anyone using a setup like this?

2 Replies
sjesse
Leadership

So if you follow

Why Privileged Access Workstations can help secure your organization | Microsoft Docs

if I remember right, privileged users can't be on the same blades as non-privileged accounts, the idea being that if the blade gets compromised through a security vulnerability, non-privileged accounts could get access to the privileged accounts through the hypervisor.

That being said, we do that. I have a desktop pool that our IT team uses on a dedicated subnet and haven't run into any issues. In general, people log on to their workstations as local users and then use privileged accounts or non-privileged accounts in the VDI image. If they use privileged accounts on the VDI images, we do require a 2FA process as well.

rbasore213
Contributor

Great question:

This post is over a year old, but I thought I would add some context around PAW/SAW devices. VDIs are not a great PAW/SAW, as the idea is that the trust starts at the endpoint. This mitigates a keylogger threat as well as allowing administration consoles to be scoped to specific computers.

From a security perspective, the statement below is an issue, as a PAW/SAW should be a physical device:

  • Log in to the workstation with the non-elevated account, and open a VDI session to use tools like Active Directory Users and Computers.

One idea we have used to avoid carrying around two laptops is to create a restricted PAW managed by Intune (more details can be provided if needed). It is an expansion of your idea "Log in to the workstation with the elevated account, open a VDI session to browse the web, read email, etc.": we deploy a local VDI running on Hyper-V. This allows a Tier 1 hypervisor to be used for security separation. It also allows the PAW requirement to be met.

Considerations:

1. Enable a virtual TPM so BitLocker can be used.
2. Enable Remote Desktop with NLA and a firewall rule allowing access from the PAW only, so the webcam, mic and speakers can be passed to the virtual machine.
3. Consider managing the virtual machine just like all your other computers. We manage ours with Intune, just like the PAW. We have an automated image that auto-joins it to Intune on import of the Hyper-V VM.
4. The image for Hyper-V is hosted in clean-source cloud storage accessible only to PAW users.

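The layout rbasore213 describes (a physical PAW running a local Hyper-V guest for browsing and email, with a vTPM for BitLocker, RDP restricted to NLA and to the PAW host, and camera/mic/speaker redirection) can be built with stock Hyper-V and NetSecurity cmdlets. The script below is an added example written for this page; it is not code from the thread or from any of the posters. The VM name, disk and ISO paths, the internal switch name, the host address on that switch, and the assumption that the guest already has an address on the internal switch (set during imaging) are all assumptions.

```powershell
# Added example, not from the original thread. Builds a "PAW host + local Hyper-V guest"
# pair: the PAW stays the trusted endpoint, the guest is where web/email happens.
# All names, paths and addresses below are assumptions for illustration.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V, NetSecurity

$VmName      = 'PAW-Browse'                     # assumed guest VM name
$VhdPath     = 'C:\PAW\PAW-Browse.vhdx'         # assumed disk location
$IsoPath     = 'C:\PAW\browse-image.iso'        # assumed image fetched from the clean-source share
$SwitchName  = 'PAW-Internal'                   # assumed host-only (internal) vSwitch
$PawHostAddr = '192.168.100.1'                  # assumed PAW-side address on that switch
$RdpFile     = "$env:USERPROFILE\Desktop\$VmName.rdp"

# --- Host side: internal-only switch, Gen 2 VM with Secure Boot and a virtual TPM ---
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
    # Give the PAW a static address on the new vEthernet adapter (no DHCP on an internal switch)
    New-NetIPAddress -InterfaceAlias "vEthernet ($SwitchName)" -IPAddress $PawHostAddr -PrefixLength 24 | Out-Null
}
New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 4GB -SwitchName $SwitchName `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 80GB | Out-Null
Set-VMProcessor -VMName $VmName -Count 2
Set-VMFirmware  -VMName $VmName -EnableSecureBoot On -SecureBootTemplate MicrosoftWindows
# A key protector must exist before the vTPM can be turned on. A local key protector is
# sufficient on a single client Hyper-V host (no Host Guardian Service in play).
Set-VMKeyProtector -VMName $VmName -NewLocalKeyProtector
Enable-VMTPM       -VMName $VmName
Add-VMDvdDrive     -VMName $VmName -Path $IsoPath
Set-VMFirmware     -VMName $VmName -FirstBootDevice (Get-VMDvdDrive -VMName $VmName)
Start-VM -Name $VmName

# --- Guest side: run after the OS is installed, over PowerShell Direct (no network needed) ---
$guestConfig = {
    param($AllowedHost)
    # Turn on Remote Desktop and require Network Level Authentication
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 0
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name UserAuthentication -Value 1
    # Replace the built-in any-source RDP rules with one rule scoped to the PAW host only
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    New-NetFirewallRule -DisplayName 'RDP from PAW host only' -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AllowedHost -Action Allow -Profile Any | Out-Null
    # Report whether the guest sees the vTPM; BitLocker needs TpmReady before it can seal to it
    Get-Tpm | Select-Object TpmPresent, TpmReady
}
$guestCred = Get-Credential -Message "Local administrator inside $VmName"
Invoke-Command -VMName $VmName -Credential $guestCred -ScriptBlock $guestConfig -ArgumentList $PawHostAddr

# --- .rdp shortcut on the PAW: NLA enforced, camera/mic/speakers redirected, drives and clipboard not ---
$vmAddr = (Get-VMNetworkAdapter -VMName $VmName).IPAddresses |
          Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } | Select-Object -First 1
@"
full address:s:$vmAddr
enablecredsspsupport:i:1
authentication level:i:2
audiomode:i:0
audiocapturemode:i:1
camerastoredirect:s:*
redirectclipboard:i:0
drivestoredirect:s:
"@ | Set-Content -Path $RdpFile -Encoding ASCII
```

The firewall rule is the practical enforcement of "RDP from the PAW only": the guest's built-in Remote Desktop rule group accepts any source, so it is disabled and replaced with a rule whose -RemoteAddress is the PAW's address on the internal switch. `authentication level:i:2` warns on a server-certificate mismatch, which a freshly imaged guest with a self-signed RDP certificate will trigger; once the guest has a certificate the PAW trusts (for example one issued through Intune), set it to 1 so the connection refuses rather than warns. Clipboard and drive redirection are left off deliberately, since those are the channels through which a compromised browsing guest could reach back into the PAW.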